A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 04 September 2007. 
2a) [X] This action is FINAL. 2b) [ ] This action is non-final. 

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213. 

Disposition of Claims 

4) [X] Claim(s) 1-16 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) [ ] Claim(s) is/are allowed. 

6) [X] Claim(s) 1-16 is/are rejected. 

7) [ ] Claim(s) is/are objected to. 

8) [ ] Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) [ ] The specification is objected to by the Examiner. 

10) [ ] The drawing(s) filed on is/are: a) [ ] accepted or b) [ ] objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a) [ ] All b) [ ] Some * c) [ ] None of: 

1. [ ] Certified copies of the priority documents have been received. 

2. [ ] Certified copies of the priority documents have been received in Application No. . 

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage 
application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
DETAILED ACTION 
Response to Amendment 

1. Applicant's amendments filed 09/04/2007 have been entered. As such, claims 1-4 and 
new claims 5-16 are pending. 

Response to Arguments 

2. Applicant's arguments filed 09/04/2007 have been fully considered but they are not 
persuasive. As it relates to White, it is Applicant's assertion that White does not disclose 
recording some of the behaviors during execution of the code module and then comparing the 
recorded behaviors against recorded behaviors of known malware to identify/determine the 
code module as malware. The Examiner respectfully disagrees. White discloses that samples of 
virus activity are taken and further analyzed at the virus analysis center. For this to take place, 
White further discloses that samples of virus activity are created by replicating the virus by 
running in an emulated environment. It is after enough activity can be gleaned from replication 
that analysis can take place (see page 2, paragraph 2, 4 and 5 and Figure 6). Furthermore 
White discloses that virus samples are stored (see page 2, paragraph 7) and a comparison is 
made between the archived samples and the virus definition to determine exact matches (see 
page 23, paragraph 1). Only upon exact matches of behavior, which White notes as full 
verification, is any further action taken. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis 

for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - (b) the invention was patented or described in a printed 
publication in this or a foreign country or in public use or on sale in this country, more than one year prior to 
the date of application for patent in the United States. 
3. Claims 1-4 are rejected under 35 USC 102(b) as anticipated by White et al. ("Anatomy of 
a Commercial-Grade Immune System", http://citeseer.ist.psu.edu/white99anatomy.html, 1999), 
hereafter "White". 

Examiner has pointed out particular references contained in the prior art of record in the 
body of this action for the convenience of the applicant. Although the specified citations are 
representative of the teachings in the art and are applied to the specific limitations within the 
individual claim, other passages and figures may apply as well. Applicant should consider 
the entire prior art as applicable as to the limitations of the claims. It is respectfully 
requested that the applicant, in preparing the response, consider fully the entire 
references as potentially teaching all or part of the claimed invention, as well as the context 
of the passage as taught by the prior art or disclosed by the examiner. 

4. With regard to claims 1 and 2, White discloses a malware detection system and means 
for determining whether a code module is malware according to the code module's exhibited 
behaviors (Fig. 3, page 14), the system comprising: 

at least one dynamic behavior evaluation module (Fig. 6, page 20, Analysis Center reads on 
dynamic behavior evaluation module), wherein each dynamic behavior evaluation module 
provides a virtual environment for executing a code module of a particular type (Section 
"Creation of the replication environment", Page 20: paragraph 1: lines 1-5), and wherein 
each dynamic behavior evaluation module records some execution behaviors of the code 
module as it is executed, wherein the execution behaviors of the code module are recorded 
into a behavior signature corresponding to the code module: (Fig. 6, page 20: item "archive" 
and Section "Analysis", page 21: paragraph 1: lines 5-6, extract good signature and stores in 
the archive for developing virus definition reads on each dynamic behavior evaluation 
module records some behaviors which may be exhibited by the code module as it is 
executed into a behavior signature); 

a management module for obtaining the code module and selecting a dynamic behavior 
evaluation module to execute the code module according to the code module's type (Fig. 3: 
page 20: item "workflow supervisor" and Section "Macro Viruses": page 25: paragraph 1: 
lines 5-7, supervisor accept suspected virus sample and feed into different virtual 
environment for each format and language of Macro Virus reads on a management module 
for obtaining the code module and selecting a dynamic behavior evaluation module to 
execute the code module according to the code module's type); 

a malware behavior signature store storing at least one known malware behavior signature 
(Fig. 3: item archive, Page 20, and Section "The Supervisor" pages 18 and 19, paragraph 3: 
lines 1-2 and Section "Definition generation", Page 21: paragraph 1: lines 1-10, archive and 
virus definition file reads on malware behavior signature store storing at least one known 
malware behavior signature); and 

a behavior signature comparison module that obtains the behavior signature and compares 
the behavior signature to the known malware behavior signatures in the malware behavior 
signature store to determine whether the exhibited execution behaviors of the code module 
match the exhibited execution behaviors of known malware (Section "An active network to 
Handle Epidemics and Floods - Overview", pages 13-15: paragraph 5: lines 1-2, gateway 
scans the sample file against the latest virus definition reads on a behavior signature 
comparison module that obtains the behavior signature and compares the behavior 
signature to the known malware behavior signatures in the malware behavior signature 
store to determine whether the exhibited behaviors of the code module match the exhibited 
behaviors of known malware). 

5. With regard to claim 3, White discloses a method for determining whether a code 
module is malware according to the code module's exhibited behaviors (Fig. 3, page 14), the 
method comprising: 
selecting a dynamic behavior evaluation module according to the executable type of the 
code module (Fig. 3: page 20: item "workflow supervisor", page 19: paragraph 1 and 2, and 
Section "Macro Viruses", page 25: paragraph 1: lines 5-7, supervisor selects sample and 
dispatch to the particular system as described in Section "Macro Viruses" reads on selecting 
a dynamic behavior evaluation module according to the executable type of the code 
module); 

executing the code module in the selected dynamic behavior evaluation module, wherein 
the selected dynamic behavior evaluation module provides a virtual environment in which 
the code module may be safely executed (Section "Creation of the replication environment", 
Page 20: paragraph 1 and 2); 

recording some execution behaviors exhibited by the code module executing in the dynamic 
behavior evaluation module during execution of the code module (Fig. 3: item archive, Page 
20, and Section "The Supervisor" pages 18 and 19, paragraph 3: lines 1-2 and Section 
"Definition generation", Page 21: paragraph 1: lines 1-10, archive and virus definition file 
reads on recording some behaviors exhibited by the code module executing in the dynamic 
behavior evaluation module); 

comparing the recorded execution behaviors exhibited by the code module executing in the 
dynamic behavior evaluation module to known malware execution behaviors (Section "An 
active network to Handle Epidemics and Floods - Overview", pages 13-15: paragraph 5: 
lines 1-2, gateway scans the sample file against the latest virus definition reads on 
comparing the recorded behaviors exhibited by the code module executing in the dynamic 
behavior evaluation module to known malware behaviors); and 
according to the results of the previous comparison, determining whether the code module 
is malware (Section "An active network to Handle Epidemics and Floods - Over view", 
pages 13-15: paragraph 3: lines 1-6, gateway scans the sample to see if it can handle the 
sample by itself reads on according to the results of the previous comparison, determining 
whether the code module is malware). 

6. With regard to claim 4, White discloses a computer-readable medium bearing computer-executable 
instructions which, when executed, carry out a method for determining whether an 
executable code module is malware according to the code module's exhibited behaviors (Fig. 5: 
page 18), the method comprising 

selecting a dynamic behavior evaluation module according to the executable type of the code 
module (Fig. 3: page 20: item "workflow supervisor", page 19: paragraph 1 and 2, and Section 
"Macro Viruses", page 25: paragraph 1: lines 5-7, supervisor selects sample and dispatch to the 
particular system as described in Section "Macro Viruses" reads on selecting a dynamic 
behavior evaluation module according to the executable type of the code module); 
executing the code module in the selected dynamic behavior evaluation module, wherein the 
selected dynamic behavior evaluation module provides a virtual environment in which the code 
module may be safely executed (Section "Creation of the replication environment", Page 20: 
paragraph 1 and 2); 

recording some behaviors exhibited by the code module executing in the dynamic behavior 
evaluation module (Fig. 3: item archive, Page 20, and Section "The Supervisor" pages 18 and 
19, paragraph 3: lines 1-2 and Section "Definition generation", Page 21: paragraph 1: lines 1-10, 
archive and virus definition file reads on recording some behaviors exhibited by the code 
module executing in the dynamic behavior evaluation module); 
comparing the recorded behaviors exhibited by the code module executing in the dynamic 
behavior evaluation module to known malware behaviors (Section "An active network to Handle 
Epidemics and Floods - Overview", pages 13-15: paragraph 5: lines 1-2, gateway scans the 
sample file against the latest virus definition reads on comparing the recorded behaviors 
exhibited by the code module executing in the dynamic behavior evaluation module to known 
malware behaviors); and 

according to the results of the previous comparison, determining whether the code module is 
malware (Section "An active network to Handle Epidemics and Floods - Overview", pages 13- 
15: paragraph 3: lines 1-6, gateway scans the sample to see if it can handle the sample by itself 
reads on according to the results of the previous comparison, determining whether the code 
module is malware). 

For claim 5 and similar claims 8, 11 and 14, White discloses wherein recording some 
execution behaviors of the code module as it is executed comprises recording executed 
behaviors that are identified in a predefined set of execution behaviors to record (page 21, 
paragraph 5: virus definition... set of source files.. .virus analysis). 

For claim 6 and similar claims 9, 12, and 15, White discloses wherein the predefined set 
of execution behaviors to record corresponds to the dynamic behavior evaluation module in 
which a code module of a particular type may be executed. (Fig. 3: page 20: item "workflow 
supervisor" and Section "Macro Viruses": page 25: paragraph 1: lines 5-7, supervisor accept 
suspected virus sample and feed into different virtual environment for each format and language 
of Macro Virus reads on a management module for obtaining the code module and selecting a 
dynamic behavior evaluation module to execute the code module according to the code 
module's type; page 19, paragraph 3 and paragraph 5: virus definition version... superset of 
previous definition...; page 20, paragraph 1 "classification".. .determine type...) 
For claim 7 and similar claims 10, 13 and 16, White discloses wherein the predefined set 
of execution behaviors to record corresponds to a set of system calls (page 20, paragraph 1 
"classification"). 
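
The architecture recited in claims 1-2 (system) and claims 3-7 (method, predefined set of behaviors, system calls), rendered as a small worked example. This is an added illustration for this corpus, not code from the application, from White, or from the Office. The evaluation modules below only replay a scripted list of system-call names rather than executing anything, and every sample, signature, call name and family name is constructed for the example; the ordered-subsequence matching rule is likewise this example's choice, not a rule the claims or White recite.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Predefined set of execution behaviors to record, one set per evaluation
# module / code-module type (claims 5-7). Calls outside the set still "run"
# but are not recorded into the behavior signature. Constructed call names.
RECORDED_SYSCALLS: Dict[str, frozenset] = {
    "pe":    frozenset({"CreateFile", "WriteFile", "RegSetValue", "CreateProcess", "connect"}),
    "macro": frozenset({"Open", "CreateObject", "Shell", "FileCopy"}),
}


@dataclass(frozen=True)
class CodeModule:
    """A suspect sample. 'calls' is the scripted call sequence the simulated
    sandbox will observe (a stand-in for executing a real PE file or macro)."""
    name: str
    module_type: str
    calls: Tuple[str, ...]

    def run(self, trace: Callable[[str], None]) -> None:
        for call in self.calls:
            trace(call)


@dataclass(frozen=True)
class BehaviorSignature:
    module_type: str
    events: Tuple[str, ...]


class DynamicBehaviorEvaluationModule:
    """One per code-module type: the (simulated) isolated environment that
    records only the predefined behaviors exhibited during execution."""

    def __init__(self, module_type: str) -> None:
        self.module_type = module_type
        self.watched = RECORDED_SYSCALLS[module_type]

    def execute(self, module: CodeModule) -> BehaviorSignature:
        recorded: List[str] = []

        def trace(call: str) -> None:
            if call in self.watched:
                recorded.append(call)

        module.run(trace)
        return BehaviorSignature(self.module_type, tuple(recorded))


class ManagementModule:
    """Obtains the code module and selects the evaluation module by its type;
    an unsupported type is an error, not a silent 'clean' verdict."""

    def __init__(self) -> None:
        self.evaluators = {t: DynamicBehaviorEvaluationModule(t) for t in RECORDED_SYSCALLS}

    def evaluate(self, module: CodeModule) -> BehaviorSignature:
        if module.module_type not in self.evaluators:
            raise ValueError(f"no evaluation module for type {module.module_type!r}")
        return self.evaluators[module.module_type].execute(module)


# Malware behavior signature store. Constructed entries, not real families.
KNOWN_MALWARE: Dict[str, BehaviorSignature] = {
    "dropper":   BehaviorSignature("pe", ("CreateFile", "WriteFile", "RegSetValue", "CreateProcess")),
    "macro-bot": BehaviorSignature("macro", ("CreateObject", "Shell")),
}


def is_subsequence(needle: Sequence[str], haystack: Sequence[str]) -> bool:
    """True if needle's events occur in haystack in the same order, gaps
    allowed, so unrelated recorded calls do not defeat a match."""
    it = iter(haystack)
    return all(any(h == n for h in it) for n in needle)


def compare(sig: BehaviorSignature, store: Dict[str, BehaviorSignature]) -> Optional[str]:
    """Behavior signature comparison module: the name of the first known
    signature of the same type that the sample exhibited, or None."""
    for name, known in store.items():
        if known.module_type == sig.module_type and is_subsequence(known.events, sig.events):
            return name
    return None


def classify(module: CodeModule, store: Dict[str, BehaviorSignature] = KNOWN_MALWARE) -> Optional[str]:
    """The method of claim 3 end to end: select, execute, record, compare, decide."""
    return compare(ManagementModule().evaluate(module), store)


# Constructed samples; GetTickCount is deliberately outside the recorded set.
DROPPER = CodeModule("sample-a.exe", "pe",
                     ("CreateFile", "WriteFile", "GetTickCount", "RegSetValue", "CreateProcess", "connect"))
BENIGN = CodeModule("installer.exe", "pe", ("CreateFile", "WriteFile", "GetTickCount"))
MACRO = CodeModule("invoice.doc", "macro", ("Open", "CreateObject", "Shell"))
UNKNOWN = CodeModule("script.py", "script", ("open",))

if __name__ == "__main__":
    for sample in (DROPPER, BENIGN, MACRO):
        print(f"{sample.name}: {classify(sample) or 'no known malware behavior'}")
    try:
        classify(UNKNOWN)
    except ValueError as err:
        print(f"{UNKNOWN.name}: {err}")
```

Two points the claims leave open are made concrete here. First, the recorded set is keyed by the selected evaluation module, so the same call name is or is not recorded depending on the module type. Second, the comparison is an ordered-subsequence match, which tolerates unrecorded or interleaved calls; the examiner characterizes White as acting only on exact matches ("full verification"), and loosening the match in this way trades false positives for coverage of variants.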

Conclusion 

7. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. Mateev et al. in US Patent Application Publication No. 2003/0101381 discloses a 
System and Method for Virus Checking Software which teaches the feature of code behavior 
checker in identifying potentially malicious code. 

8. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as 
set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the 
mailing date of this final action and the advisory action is not mailed until after the end of the 
THREE-MONTH shortened statutory period, then the shortened statutory period will expire on 
the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will 
be calculated from the mailing date of the advisory action. In no event, however, will the 
statutory period for reply expire later than SIX MONTHS from the mailing date of this final 
action. 

9. Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Laurel Lashley whose telephone number is 571-272-0693. The examiner 
can normally be reached on Monday - Thursday and alternate Fridays, between 7:30 am and 5 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron, Jr. can be reached on 571-272-3799. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Laurel Lashley 
Examiner 
Art Unit 2132 

GILBERTO BARRON 
SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 